Linux Foundation's CII Funds Efforts to Prevent the Next Heartbleed

By Sean Michael Kerner |
Posted 2014-05-29

The Linux Foundation is making good on its promise to help prevent the next Heartbleed before it happens. On April 24, the Linux Foundation announced its Core Infrastructure Initiative (CII) to fund open-source projects, and it is now providing details on which projects it will initially help to secure.

The Heartbleed security flaw, disclosed April 7, is a vulnerability in the open-source OpenSSL cryptographic library that is widely used on servers and embedded devices around the world. One of the many potential reasons Heartbleed occurred in the first place is a lack of resources and funding for the project, which is something that CII aims to correct.

Jim Zemlin, executive director of the Linux Foundation, told eWEEK that to date CII has raised $5.4 million in funding. The effort now includes the participation of Adobe, Bloomberg, Hewlett-Packard and Salesforce.com. Those vendors join VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco, which joined CII in April.

With the funding in hand, CII has now also put together an advisory board made up of well-known industry experts to help direct where the money should go. The advisory board includes Linux kernel developers Alan Cox and Ted Ts'o, Johns Hopkins University professor Matthew Green, Columbia University professor Eben Moglen and renowned cryptography expert Bruce Schneier.

"The advisory board members are volunteering their time to help inform CII," Zemlin said. "We're grateful for their generous support."

In terms of which projects will be funded by CII, the first three will be OpenSSL, OpenSSH and the Network Time Protocol (NTP). For the OpenSSL project, CII is providing funding for two full-time core developers as well as the money to facilitate a code audit to be performed by the Open Crypto Audit Project (OCAP).

"We don't disclose specific dollar figures for the projects CII funds, but we're happy to be able to support OpenSSL and the essential audit to be conducted by OCAP," Zemlin said.

Funding OpenSSL is an obvious choice for CII as it is the technology that is at the heart of the Heartbleed saga. As to why NTP and OpenSSH are getting funding, Zemlin said they are both critical and universally used open-source software projects and protocols.

"CII focuses funding priorities on projects that support critical, global technology infrastructure but are not currently receiving the level of support warranted by their important role in society," Zemlin said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.